Re: New image spam

2009-11-14 Thread LuKreme
On 14-Nov-2009, at 10:58, Benny Pedersen wrote: > On Sat 14 Nov 2009 17:31:11 CET, Alex wrote >> That's a good idea, but an administrative nightmare with many users, >> particularly with the "fail first, correct later" attitude, they would >> kill me. > > I made a script in php that dumps horde ad

Re: New image spam

2009-11-14 Thread Benny Pedersen
On Sat 14 Nov 2009 20:11:09 CET, Homer Parker wrote On Sat, 2009-11-14 at 18:58 +0100, Benny Pedersen wrote: I made a script in php that dumps horde addressbook to whitelist_auth.cf Only if everyone uses webmail... so how do I solve other problems? If you make me an ldap addressbook and woul

Re: New image spam

2009-11-14 Thread Homer Parker
On Sat, 2009-11-14 at 18:58 +0100, Benny Pedersen wrote: > I made a script in php that dumps horde addressbook to > whitelist_auth.cf Only if everyone uses webmail... -- Homer Parker

Re: New image spam

2009-11-14 Thread Benny Pedersen
On Sat 14 Nov 2009 17:31:11 CET, Alex wrote That's a good idea, but an administrative nightmare with many users, particularly with the "fail first, correct later" attitude, they would kill me. I made a script in php that dumps horde addressbook to whitelist_auth.cf put that in a daily cron, so

Re: New image spam

2009-11-14 Thread Alex
> no way of helping.. someone (something) truncated the email in pastebin.. > doesn't have the mime headers with any attachment, in fact, don't see an > attachment. Please find updated one here: http://pastebin.com/m291e486b Benny, > score DKIM_SIGNED 5 > score USER_IN_DKIM_WHITELIST -5.0 > whit

Re: New image spam

2009-11-14 Thread Gene Heskett
On Saturday 14 November 2009, Alex wrote: >Hi all, > >Has anyone else seen an increase in image spam lately? > >http://pastebin.com/m47617898 > >The LOC_IMGSPAM is a local rule I created that simply checks for >/inline/ content disposition. I've changed the @ to # to pass the >pastebin filters. > >

Re: New image spam

2009-11-14 Thread Benny Pedersen
On Sat 14 Nov 2009 07:25:20 CET, Alex wrote Any ideas what I could be missing on catching this one? Please let me know if I can provide any additional information. score DKIM_SIGNED 5 score USER_IN_DKIM_WHITELIST -5.0 whitelist_from_dkim fri...@sbcglobal.net -- xpoint

Re: New image spam

2009-11-14 Thread Michael Scheidell
Alex wrote: Hi all, Has anyone else seen an increase in image spam lately? http://pastebin.com/m47617898 The LOC_IMGSPAM is a local rule I created that simply checks for /inline/ content disposition. I've changed the @ to # to pass the pastebin filters. no way of helping.. someone (somethi

New image spam

2009-11-13 Thread Alex
Hi all, Has anyone else seen an increase in image spam lately? http://pastebin.com/m47617898 The LOC_IMGSPAM is a local rule I created that simply checks for /inline/ content disposition. I've changed the @ to # to pass the pastebin filters. Any ideas what I could be missing on catching this on

Re: New image spam

2009-05-26 Thread Martin Gregorie
On Tue, 2009-05-26 at 17:49 +0200, Matus UHLAR - fantomas wrote: > On 26.05.09 11:23, Martin Gregorie wrote: > > Yes - comparing MIME image type to the file extension is already > > obsolete. > > Are you sure? Have you made any measures that tell such comparison is > useless and has much of FPs?

Re: New image spam

2009-05-26 Thread Jonas Eckerman
Matus UHLAR - fantomas wrote: You need to check the file's contents to catch that, and the ImageInfo plugin isn't meant to understand just any kind of content. Well, first issue was only to compare file extension to provided mime type, so it would hit .gif file of type image/jpeg Ah. yes. Th

Re: New image spam

2009-05-26 Thread Matus UHLAR - fantomas
> On Tue, 2009-05-26 at 10:20 +0200, Matus UHLAR - fantomas wrote: > > Well, first issue was only to compare file extension to provided mime type, > > so it would hit .gif file of type image/jpeg > > > > >> or do we need a FileType plugin? On 26.05.09 11:23, Martin Gregorie wrote: > Yes - compari

Re: New image spam

2009-05-26 Thread Martin Gregorie
On Tue, 2009-05-26 at 10:20 +0200, Matus UHLAR - fantomas wrote: > Well, first issue was only to compare file extension to provided mime type, > so it would hit .gif file of type image/jpeg > > >> or do we need a FileType plugin? > Yes - comparing MIME image type to the file extension is already o

Re: New image spam

2009-05-26 Thread Matus UHLAR - fantomas
> mouss wrote: >> is there a way to generalize this to other MIME types? I mean a file >> claiming to be a .pdf when it is a .wmv...? On 26.05.09 02:40, Jonas Eckerman wrote: > You need to check the file's contents to catch that, and the ImageInfo > plugin isn't meant to understand just any kind

Re: New image spam

2009-05-25 Thread Jonas Eckerman
mouss wrote: is there a way to generalize this to other MIME types? I mean a file claiming to be a .pdf when it is a .wmv...? You need to check the file's contents to catch that, and the ImageInfo plugin isn't meant to understand just any kind of content. or do we need a FileType plugin?

Re: New image spam

2009-05-25 Thread mouss
Adam Katz wrote: > Refined to include the ifplugin directive (which if you prefer can go > after the three mimeheader lines). > > ifplugin Mail::SpamAssassin::Plugin::ImageInfo > mimeheader __MIME_GIF Content-Type =~ /image\/gif/i > mimeheader __MIME_PNG Content-Type =~ /image\/png/i > mi

Re: New image spam

2009-05-25 Thread mouss
Bob Proulx wrote: > mouss wrote: >> how about >> >> header __CTYPE_MULTIPART Content-Type =~ m{multipart/\w}i >> mimeheader __MIME_CTYPE_IMAGE Content-Type =~ m{image/\w} >> mimeheader __MIME_CTYPE_TEXT Content-Type =~ m{text/\w} >> >> meta MULTIPART_IMG_NO_TEXT (__CTYPE_MULTIPART && __CTYPE_IM

Re: New image spam

2009-05-25 Thread Jonas Eckerman
Bob Proulx wrote: I like the idea of tagging mismatched types where the actual content doesn't match the stated type. That would be a good idea for a plugin enhancement. Perhaps something based upon libmagic? I've got a plugin that does this. It's the MimeMagic plugin at

Re: New image spam

2009-05-25 Thread Benny Pedersen
On Mon, May 25, 2009 05:24, Adam Katz wrote: > ifplugin Mail::SpamAssassin::Plugin::ImageInfo > mimeheader __MIME_GIF Content-Type =~ /image\/gif/i mimeheader is another plugin, so can give lint errors if both are not loaded -- http://localhost/ 100% uptime and 100% mirrored :)

Re: New image spam

2009-05-24 Thread Adam Katz
Refined to include the ifplugin directive (which if you prefer can go after the three mimeheader lines). ifplugin Mail::SpamAssassin::Plugin::ImageInfo mimeheader __MIME_GIF Content-Type =~ /image\/gif/i mimeheader __MIME_PNG Content-Type =~ /image\/png/i mimeheader __MIME_JPEG Content-Typ

Re: New image spam

2009-05-24 Thread Adam Katz
Cedric Knight wrote: >> Also, it's not really a JPEG but a PNG, and one with a consistent >> header over the last few weeks: Bob Proulx wrote: > I like the idea of tagging mismatched types where the actual content > doesn't match the stated type. That would be a good idea for a > plugin enhancem

Re: New image spam

2009-05-24 Thread Ned Slider
mouss wrote: I think image with no text in the body part at all is pretty rare, but I might do something like that if I was sending a picture to myself. and when I send an email to myself with only an image attachment (using thunderbird), this is what I see (note the presence of Content-Typ

Re: New image spam

2009-05-24 Thread Bob Proulx
Cedric Knight wrote: > mimeheader MIME_IMAGE_JPG Content-Type =~ /image\/jpg/ > describe MIME_IMAGE_JPG contains wrong MIME type image\/jpg > score MIME_IMAGE_JPG 1.0 This puts a literal '\' in the description. The quoting isn't needed there. But otherwise seems useful.

Re: New image spam

2009-05-24 Thread Bob Proulx
mouss wrote: > how about > > header __CTYPE_MULTIPART Content-Type =~ m{multipart/\w}i > mimeheader __MIME_CTYPE_IMAGE Content-Type =~ m{image/\w} > mimeheader __MIME_CTYPE_TEXT Content-Type =~ m{text/\w} > > meta MULTIPART_IMG_NO_TEXT (__CTYPE_MULTIPART && __CTYPE_IMAGE && > !__CTYPE_TEXT) I l

Re: New image spam

2009-05-24 Thread John Hardin
On Sun, 24 May 2009, John Hardin wrote: On Sun, 24 May 2009, Cedric Knight wrote: I think image with no text in the body part at all is pretty rare, but I might do something like that if I was sending a picture to myself. I think most mailers will do that if you compose a message and drop

Re: New image spam

2009-05-24 Thread John Hardin
On Sun, 24 May 2009, Cedric Knight wrote: header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\//i Veto. If you want to ignore the subtype, name the rule __CTYPE_MULTIPART_ANY. because I've also recall them coming in as multipart/related. The inbuilt rule only looked for "image/jpeg",

Re: New image spam

2009-05-24 Thread mouss
Cedric Knight wrote: > Jeremy Morton wrote: >> Recently I've been receiving some new image spams, subtly different >> from the one this rule is designed to mark: >> http://markmail.org/message/zio642mxs5p42kxa >> >> ... in that it actually does have a blank text MIME part. >> >> Here's an exampl

Re: New image spam

2009-05-24 Thread Cedric Knight
Jeremy Morton wrote: > Recently I've been receiving some new image spams, subtly different > from the one this rule is designed to mark: > http://markmail.org/message/zio642mxs5p42kxa > > ... in that it actually does have a blank text MIME part. > > Here's an example of one such spam: > http://rafb

Re: New image spam

2009-05-24 Thread mouss
Jeremy Morton wrote: > Hi, > > Recently I've been receiving some new image spams, subtly different from > the one this rule is designed to mark: > http://markmail.org/message/zio642mxs5p42kxa > > ... in that it actually does have a blank text MIME part. > > Here's an example of one such spam:

New image spam

2009-05-24 Thread Jeremy Morton
Hi, Recently I've been receiving some new image spams, subtly different from the one this rule is designed to mark: http://markmail.org/message/zio642mxs5p42kxa ... in that it actually does have a blank text MIME part. Here's an example of one such spam: http://rafb.net/p/ppyJAS34.html I don

New Image Spam

2007-08-11 Thread Jason Bennett
Hi everyone. I'm receiving some new image spam and was wondering if anyone had a technique for it. The image is now an actual image of some porn with a URL at the top of it. I'm using Fuzzy OCR to scan but I don't think Fuzzy checks the URLs. Any ideas? For those that